Cybersecurity & Data Privacy Insights

By the time you are reading this guidance, your business has likely been operating under a shelter in place order or perhaps even a governmental quarantine in response to the Coronavirus pandemic, and your staff has been operating remotely for an extended period. While it may be too soon to fully assess whether remote access and teleworking are functioning optimally for your business, it is not too soon to ensure that the process of remote access and telework is being undertaken on the enterprise level in a safe and diligent fashion. Indeed, this is a responsibility that should be addressed from the Board of Directors and C-suite level down to the factory floor.

While the topic of remote access and its impact on cybersecurity could fill up volumes, there are two aspects of remote access and telework that businesses of all sizes need to acknowledge and address immediately. First, while remote access and telework were on the rise before the Coronavirus Pandemic, they are now most assuredly an integral part of your business for the foreseeable future. Your customers and staff expect you to be able to keep your business open through remote operations, and the harsh reality is that businesses that cannot operate remotely in some capacity have less chance of success during periods of shelter in place orders, governmental quarantines and social distancing.

Second, with more staff utilizing remote access and telework during the pandemic, the likelihood of your business’s information technology and the data stored thereon being exposed through cyber-breaches and attacks has grown exponentially. There are countless articles explaining the inherent dangers of remote access and telework, but the theme that permeates them all is that working remotely comes with its own set of dangers and that hackers and cybercriminals, who have already been relentlessly attacking businesses through email and phishing scams, DDoS attacks, ransomware and social engineering, have already increased their attacks on businesses using remote access. Simple changes in your staff’s routines caused by new procedures can throw them off balance and create an opportunity for a hacker to exploit.


Eric Levine, Cybersecurity & Data Privacy co-chair of Lindabury, McCormick, Estabrook & Cooper, was quoted by Legaltech News in a recent article concerning the coronavirus’ impact on law firms. Eric says the firm is proactively reminding the firm’s lawyers and staff to remain vigilant against coronavirus-related phishing emails.

“From a cybersecurity and data privacy standpoint, people must be aware that the virus itself presents an opportunity for hackers and wrongdoers to gain access to resources,” he said. “I sent an email to our staff and attorneys with an article saying to be careful for these types of email scams, they’re more potent because they’re tied to a health scare.”

To read the full article as published online at Law.com, click here; a subscription may be required.

Robert Anderson, a shareholder at Lindabury, McCormick, Estabrook & Cooper and a member of the firm’s Cybersecurity & Data Privacy practice group, was recently questioned by Tom Hughes of ROI-NJ regarding the reasons a business should consult an attorney to oversee cybersecurity planning and preparation. In short, the answer is attorney-client privilege.

If you have a breach and your company gets sued — and it will, Anderson said — having all of your preparation protected could result in huge savings of both money and reputation. Anderson, speaking at a recent ROI-NJ Thought Leadership Series panel, explained how.

“When you’re first starting to put together a program to protect your company, one of the things that you will typically want to do is hire someone called an ethical hacker, who will try to get into your system,” he said. “The results of this kind of a penetration testing that determines the vulnerabilities and weaknesses in your system will be in a report that goes on for pages and pages of all the problems in your system. If you do end up with an attack and end up in litigation, Exhibit A in the litigation is going to be this detailed report that shows all the vulnerabilities of your system, and they’ll be able to see how you elected to prioritize the problems.

“The litigants are then going to say you knew you had these vulnerabilities and spot the one you didn’t fix.”

Having legal counsel order the penetration test would likely shield that document by virtue of attorney-client privilege, Anderson said.

You may visit ROI-NJ to read the full article or download a copy here.

Andrew Gibbs, a member of Lindabury’s Cybersecurity & Data Privacy practice group, is quoted in a recent issue of ROI-NJ concerning the confusion surrounding the argument to purchase insurance protection plans focusing on cybersecurity issues. Andy says, “Cybercriminals are starting to target smaller and mid-sized businesses. Those companies need to start making this more of an important consideration. It’s true that a lot of companies might still be saying, ‘I’m not sure I need this — it’s too expensive,’ but the reality is, this insurance is not that expensive compared to the actual cost of a loss from a cyberattack.”

You can read the full ROI-NJ article here.


Eric Levine, co-chair of Lindabury’s Cybersecurity and Data Privacy practice, is quoted in a recent issue of NJBIZ regarding the growing digital threat often disguised as a legitimate-looking email. Eric says that when our firm receives an email regarding a bank transaction, “We won’t cut a check against it until it clears our financial institution, and then we’ll wait up to another 10 days. It can be an inconvenience for a client, but this way we know the money is good.”

To read the full NJBIZ article click here.


In a recently published article by Relias Media, Andrew Gibbs says “It is useful to think of cyberinsurance as filling in gaps in existing insurance coverage.  Cyberinsurance can fill in gaps, and in some cases give you interlocking or overlapping coverage.  A large organization might have a crime policy with a social engineering endorsement, and then if you get a standalone cyberpolicy that also has social engineering coverage, you’ll have an overlap. That overlap helps protect you because those policies are going to limits and exclusions that might be overcome by the other policy.”

“There may be higher deductibles for certain kinds of cyberlosses, so healthcare organizations should get with their brokers or lawyers and try to maximize the coverage they can get within their financial restraints,” Gibbs says. “They also should watch carefully for exclusions and language that lessens the coverage.”

You may download the full article here.


Eric Levine, co-chair of Lindabury’s Cybersecurity & Data Privacy practice group spoke recently to attendees during NAIOP New Jersey’s final installment of their “Future Proof Your Buildings” series.

Real Estate Weekly recently published coverage of the event, providing highlights and strategies for ensuring the security of smart cities throughout the state.

Eric says he believes liability is one of the fundamental risks facing building owners.


Eric Levine and Robert Anderson co-authored the recently published article in Training Industry addressing the need of businesses to assess their own cybersecurity risks and openly exchange internal information to effectively address and mitigate an actual breach situation. Yet a company’s internal assessments of its own weaknesses and the holes in its cybersecurity protections can, ironically, actually expose the company to even greater danger in future security breach litigation.

Read the full article online here.

Training Industry, Inc. (Dec. 18, 2018). How Cybersecurity Training Protects Your Organization Even After a Breach.

 


Originally published in the October 2018 issue of HR News.

Combatting cyber-threats and protecting data is not only the job of an IT department. Human resource professionals play a critical role in safeguarding personally identifiable information as well. Indeed, if there is one area in every company that has in its possession a literal treasure trove of sensitive information, it is Human Resources. Who else has access to employees’ names, addresses, dates of birth, social security numbers, bank account information (for direct depositing of paychecks), health and medical information (originating from health insurance applications, flex plan reimbursement materials) and financial information, especially if your company has a self-directed 401K plan and contributions are automatically deducted from payroll? Needless to say, a data breach implicating your Human Resources department could be devastating. So what can you as a human resource professional do to assist in maintaining the integrity of your company’s data? Plenty.

Collaborate with IT and Legal departments:


Eric Levine, Lindabury’s Cybersecurity & Data Privacy Group Co-Chair provided insight to SC Media for their recent white paper, Hiding in Plain Sight.  Eric suggests that an organization consider and understand what types of data might be vulnerable to attack in order to understand the implications of responding to unauthorized accesses of that information.

You can download a copy of the white paper here.
